FREAK Attack Vulnerability

nixonc85
New Contributor III

FYI SSL/TLS vulnerability: https://freakattack.com

Chrome is already patched so suggest you update.

Safari patch should be available this week.

There are also tools to test if an HTTPS server is vulnerable. I will check my JSS and post results back.

Apologies if this is a duplicate post, could not find anything with a quick search.

2 REPLIES

nixonc85
New Contributor III

As an update I checked the default Tomcat configuration on the JSS and the following ciphers are listed for the JSS port. As none show 'EXPORT' in the name I think this means it is not vulnerable.

ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

I don't currently run any JDS servers so have not checked these.
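The check described in the post above, scripted as an added example that is not part of the original thread: it reads a Tomcat server.xml, finds each TLS connector, and lists any cipher suite with EXPORT in its name. The sample XML is constructed (the first connector carries the cipher list quoted above, the others are hypothetical), and identifying TLS connectors by the SSLEnabled attribute is an assumption about how the file is written.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Port numbers are placeholders; the 8443 connector uses
# the cipher list quoted in the post, 9443 is a hypothetical weak connector.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>
    <Connector port="9443" SSLEnabled="true" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5"/>
    <Connector port="10443" SSLEnabled="true"/>
    <Connector port="8080"/>
  </Service>
</Server>"""


def audit_connectors(server_xml):
    """Map each TLS connector port to its export-grade suites.

    Value is a list of suite names containing EXPORT (empty list = none found),
    or None when the connector has no explicit ciphers attribute.
    """
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # Assumption: TLS connectors are marked with SSLEnabled="true".
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "unknown")
        ciphers = conn.get("ciphers")
        if ciphers is None:
            # No explicit list: the effective suites come from runtime
            # defaults, which a config-file check cannot judge.
            findings[port] = None
            continue
        suites = [s.strip() for s in ciphers.split(",") if s.strip()]
        findings[port] = [s for s in suites if "EXPORT" in s.upper()]
    return findings


if __name__ == "__main__":
    for port, export in audit_connectors(SAMPLE_SERVER_XML).items():
        if export is None:
            print(f"port {port}: no explicit cipher list, test the live port")
        elif export:
            print(f"port {port}: export-grade suites configured: {export}")
        else:
            print(f"port {port}: no EXPORT suites in configured list")
```

A connector reported as None has no ciphers attribute, so a file check says nothing about it and the listening port has to be tested directly.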

lucas_sc
New Contributor

Patches for Safari had been rolled up into Security Update 2015-002, available now from Apple for Mountain Lion, Mavericks and Yosemite. Note that according to the System Requirements the Yosemite update requires 10.10.2.

https://support.apple.com/downloads/

Happy patching!